REMARKS

As reflected in the above amendments, applicant intends to cancel
claims 75 and 99 and incorporate their limitations into independent
claims 53 and 77 respectively. However, for clarity in these remarks,
applicant will first address the examiner's rejections of claims 75
and 99, as previously presented, under 35 U.S.C. 112, first and second
paragraphs.

The examiner has rejected claims 75, 76, 99, and 100 under 35
U.S.C. 112, first paragraph as failing to comply with the written
description requirement.

Regarding claims 75 and 99, the examiner asserts that the 
specification does not appear to contain any references to instruction 
sets in general or a second instruction set being a sub-set of the 
third instruction set in particular. In both claims 75 and 99 the term 
"third instruction set" is used in error and is intended to read 
"first instruction set." See proposed amendments to claims 53 and 77 
above and discussion of 35 U.S.C. 112, 2nd paragraph rejections below.
For the purposes of addressing the rejection under 35 U.S.C. 112, 1st
paragraph, applicant assumes the claim correctly reads, "the second 
instruction set is a sub-set of the first instruction set." 

The specification states: "[the] rule program 66 comprises a set 
of operations selected from operations supported by the respective
components of the network connection device 12" (page 19, lines 19-21, 
emphasis added). The specification also states: "the rule program 66 
is executed by the virtual machine 10" (page 33, line 15). Applicant 
submits that the operations supported by the respective components of 
the network connection device are appropriately described as the 
network connection device's "instruction set." Applicant further
submits that a person skilled in the art to which the present 
invention, as defined by claim 75, pertains, would recognize that the 
"operations supported by the respective components of the network 
connection device" (as recited at page 19, lines 19-21) constitute an 
instruction set of the network connection device, and that the "set of 
operations" selected therefrom is part of the instruction set and may 
thus properly be referred to as an instruction set. There is nothing 
objectionable in referring to the overall instruction set as a first 
instruction set and the selected set of operations as a second 
instruction set. Applicant therefore submits that claims 75 and 99, 
amended to correct the inadvertent errors discussed below, would
comply with the written description requirement of 35 U.S.C. 112,
first paragraph.

However, if the examiner disagrees, applicant would be willing to 
amend the claims to use the term "set of operations" in place of 
"instruction set" where appropriate.

Regarding claims 76 and 100, in light of the arguments regarding 
previously presented claims 75 and 99 above, applicant submits that 
claims 76 and 99 also comply with the written description requirement 
of U.S.C. 112, first paragraph.

The examiner has rejected claims 55, 75, 76, 99, and 100 under 35
U.S.C. 112, second paragraph as being indefinite for failing to point
out and distinctly claim the subject matter which applicant regards as
the invention.

Regarding claims 55 and 79, the examiner has asserted that the 
limitation "the second section being non-exclusive of the first 
section" is unclear. Applicant included the limitation at issue to 
avoid the inference that the first and second sections are exclusive 
of one another and to show that the second section may contain all, 
some or none of the elements of the first section, e.g., if the first
data packet contains elements A, B, C, and D and the first section is
made up of elements A and B, applicant does not intend the second
section to be limited to elements C and/or D. Applicant gratefully
acknowledges the examiner allowing amendment to the claims to clarify
applicant's meaning. Respectfully, applicant proposes amending claims
55 and 79 to replace the assertedly unclear wording with "wherein the
second section may include at least part of the first section."
Applicant submits that proposed amendment to claims 55 and 79 comply
with the requirements of 35 U.S.C. 112, 2nd paragraph.

Regarding claims 75 and 99, as previously presented, the examiner 
has asserted that the limitation of "the third instruction set" has 
insufficient antecedent basis. Applicant gratefully acknowledges that 
the examiner has pointed out an inadvertent error in the claims, in 
which applicant intended to recite "the first instruction set." 
Applicant proposes amending the subject matter of claims 75 and 99 to 
replace "the second instruction set is a sub-set of the third
instruction set" with "the second instruction set is a sub-set of the
first instruction set" and requests that the examiner allow the
proposed amendments to correct the inadvertent errors. Applicant
submits that proposed amendment to claims 75 and 99 would have brought
claims 75 and 99 into compliance with the requirements of 35 U.S.C.
112, 2nd paragraph and would have only required cursory review by the
examiner.

Regarding claims 76 and 100, in light of the arguments regarding
claims 75 and 99 above, applicant submits that claims 76 and 100, as
previously presented, also comply with the written description
requirement of 35 U.S.C. 112, second paragraph.

The examiner has rejected claims 53-56, 72-74, 77-80, and 96-98
under 35 U.S.C. 102(e) as being anticipated by Hawkinson.

Without acquiescing in the examiner's rejection of claim 53 as 
previously presented, applicant proposes amending claim 53 to 
incorporate the limitations of claim 75, including the proposed 
amendments discussed above. Applicant submits that the proposed 
amendments to claim 53 do nothing more than narrow claim 53 to the
scope of previously presented claim 75 and therefore should be allowed
by the examiner under 37 CFR 1.116.

The present invention, as defined by claim 53, relates to a 
method of managing network traffic (designated 16 in the embodiment 
shown in FIG. 1) being routed through a network connection device 
(designated 12). The network connection device includes a first
instruction set. The network traffic (16) is composed of at least
first and second traffic flows and each traffic flow is composed of at
least one data packet (in the embodiment shown in FIG. 1, the first
traffic flow is composed of packets A and the second traffic flow is
composed of packets B). The method includes instantiating a virtual
machine (10) on the network connection device (12) for managing the
subsequent steps of the method using a second instruction set, which
is a sub-set of the first instruction set (see above). The method also
includes receiving and storing at least a first criterion (18) at the
network connection device (12), receiving and storing at least a
second criterion (18) at the network connection device, and receiving
and storing first and second instructions (POLICY 1 and POLICY 2 
respectively, FIG. 4) at the network connection device. The network 
connection device (12) uses the first criterion (18) to identify the 
traffic flow to which a data packet belongs. The network connection 
device (12) uses the second criterion (18) to classify a traffic flow 
as belonging to one of at least first and second traffic flow classes.
The first and second instructions are used for processing a data 
packet and are associated with the first and second flow classes 
respectively. The method also comprises receiving a first data packet 
(29) that belongs to the first traffic flow at the network connection 
device, determining that the first data packet belongs to the first 
traffic flow, determining the traffic flow class to which the first 
traffic flow belongs, and processing the data packet according to the
instructions associated with the flow class to which the first traffic
flow belongs.

Hawkinson describes a method for classifying information received 
by a communications system. Hawkinson's FIG. 2 illustrates a queuing
module 200 implemented on a communications device 100 (FIG. 1).
Network traffic elements, including ATM cells, are received by a 
receive module. Certain types of ATM cells, relating to flow control, 
are passed to a resource manager block 222. The resource manager 222 
responds to these cells by issuing requests for establishing, 
terminating, and modifying connections to a connection management task 
226. The connection management task 226 then directs the resource
manager 222 to install, de-install, or modify the connections
(Hawkinson, Col. 6, lines 41-46). The resource manager 222 also maps
class and policy definitions, such as resource requirements, for the 
flows. A flow database 224 containing the current resource state and 
other parameters and state variables is coupled to the resource 
manager 222 (Hawkinson, Col. 7, lines 4-10). 

The receive module includes a flow classification and routing 
block 218 (FIG. 4). The flow classification and routing block 218
examines incoming data units and determines if the data units belong 
to an existing flow. If so, the flow classification and routing block 
then establishes the class of network traffic the existing flow 
belongs to using a class definition table 332 (see Table X), a policy
definition table 334 (see Table 2) and a pipe definition table 336
(see Table S). These tables instruct the flow classification and
routing block 218 how to proceed in handling the data unit. If a new 
flow needs to be established, the flow classification and routing 
block will pass a resource request to a fly-by flow admission block 
232. The fly-by flow admission block in turn determines the quality of 
service (QoS) the new flow will require and makes a request to the 
resource manager 222. The resource manager 222 then determines if
there are enough resources available to meet the requested QoS. If the
necessary resources are available, the resource manager 222 notifies 
the fly-by flow admission block 232, which in turn acquires the new 
flow. 

The present invention, as defined by amended claim 53, is 
distinct from the method described in Hawkinson. The method of claim 
53 instantiates a virtual machine to manage network traffic being 
received by the network connection device. A virtual machine is a
software emulation of one hardware device on another hardware device. 
The operations a virtual machine is capable of performing are limited 
by i) the operations the hosting hardware device is capable of 
performing and ii) the degree to which the virtual machine's creator 
wishes to give the virtual machine access to the operations of the 
hosting hardware device. There is no technical reason why a virtual 
machine could not be instantiated on a network connection device such 
that the virtual machine has access to all of the network connection 
device's available instructions (i.e. the first instruction set). In 
accordance with the present invention however, the virtual machine is 
limited to performing actions using only operations contained within 
the second instruction set. Limiting the access to a sub-set of the 
available instructions (i.e. the second instruction set) is an 
intentional and significant limitation on the present invention, as
defined by claim 53. Hawkinson does not disclose or suggest that the
queuing module 200 is a virtual machine within the meaning of claim 
53. Further, there is no disclosure, either explicitly or implicitly, 
that the queuing module 200 is subject to any limitation with regard
to available operations of the communication device 100.

The limited instruction set available to the virtual machine is
an important security feature of the present invention, as defined by
claim 53. As an example, consider two network users who are exchanging
confidential communications over a network. Using the method described 
by Hawkinson, there is nothing to prevent a third party from accessing 
the queuing module 200 and modifying the policy definition table 334 
associated with the PDUs of the confidential communications. This 
could allow the third party to intercept the confidential 
communications. In contrast, using the present invention, as defined
by claim 53, the operations of the network connection device (12) 
that would permit the communications to be re-routed can be excluded
from the 2nd instruction set thereby making the confidential 
communications more secure. 
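
The restriction argued above, as an added sketch that is not part of the applicant's filing or of either party's implementation: a rule virtual machine checks each rule program against an allowed sub-set of device operations before installing it, so a program containing a re-routing operation never reaches the policy table. All opcode names, packet fields and the classification criterion are hypothetical.

```python
# Added illustration: opcode names, packet fields and policies are hypothetical.

# "First instruction set": every operation the device supports (constructed list).
DEVICE_OPS = frozenset({"SET_PRIORITY", "DROP", "FORWARD", "REROUTE", "EDIT_POLICY_TABLE"})
# "Second instruction set": the sub-set the virtual machine is allowed to execute.
VM_OPS = frozenset({"SET_PRIORITY", "DROP", "FORWARD"})


class ForbiddenOperation(Exception):
    """Raised when a rule program uses an operation outside VM_OPS."""


def verify(program):
    """Check every instruction before anything runs, so a bad program has no partial effect."""
    for pc, (op, *_args) in enumerate(program):
        if op not in VM_OPS:
            raise ForbiddenOperation(f"instruction {pc}: {op!r} is not in the VM instruction set")


class RuleVM:
    def __init__(self):
        assert VM_OPS < DEVICE_OPS  # the VM set must be a strict sub-set of the device set
        self.policies = {}          # flow class -> verified rule program

    def install(self, flow_class, program):
        verify(program)             # rejected programs never reach the policy table
        self.policies[flow_class] = list(program)

    @staticmethod
    def classify(packet):
        flow = (packet["src"], packet["dst"], packet["dst_port"])  # first criterion: flow identity
        return 1 if flow[2] == 443 else 2                          # second criterion: flow class

    def process(self, packet):
        # Default outcome; the next hop is fixed by the device, not by the rule program.
        result = {"action": "FORWARD", "priority": 0, "next_hop": packet["dst"]}
        for op, *args in self.policies[self.classify(packet)]:
            if op == "SET_PRIORITY":
                result["priority"] = args[0]
            elif op in ("DROP", "FORWARD"):
                result["action"] = op
                break
        return result
```
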

In view of the above arguments, applicant submits claim 53 is 
patentable. It follows that dependent claims 54-74 and 76 are also 
patentable.

Applicant further submits that the above arguments relating to 
claim 53 apply equally to claim 77, which has been amended to 
incorporate the limitations of claim 99 similarly to amended claim 53 
and applicant submits that claim 77 is therefore patentable. It 
follows that claims 78-98 and 100 are also patentable. 